Decoding Cyber Defense: CERT-UA's Battle Against Cyber Threats


Published on Jul 20, 2023   —   2 min read

In this post, we delve into the world of cybersecurity, focusing on the efforts of Ukraine's Computer Emergency Response Team (CERT-UA) in combating these threats.

The Role of CERT-UA in Cyber Defense

CERT-UA, the Ukrainian government's response team for computer emergencies, has been actively taking measures to counter cyber threats. Since 2022, they have been tracking an activity identified as UAC-0024, which involves targeted cyber attacks aimed at defense forces for espionage purposes.

Understanding the Threat: The Case of CAPIBAR

One of the primary threats tracked by CERT-UA is a malicious program known as CAPIBAR. This program, also known as "DeliveryCheck" by Microsoft and "GAMEDAY" by Mandiant, uses a server-side component typically installed on compromised MS Exchange servers. It employs a variety of techniques, including Extensible Stylesheet Language Transformations (XSLT) and COM-hijacking, effectively turning a legitimate server into a control center for the malicious program.

The Initial Compromise: A Closer Look

The initial compromise often involves sending emails with an attachment in the form of a document containing a macro. In some cases, the attackers modify documents, adding a few lines of code to the structure of a legitimate macro, which triggers the launch of PowerShell.

The Power of KAZUAR: A Multifunctional Backdoor

Under certain circumstances, a complex multifunctional backdoor known as KAZUAR is loaded onto the affected computers. KAZUAR boasts over 40 functions, including data theft from operating system logs, authentication data, and database/configuration files of various programs.

The Turla Connection: Linking Threats to the FSB of Russia

Based on the tactics, techniques, and procedures used, as well as the use of the KAZUAR program, the activity (UAC-0024) is associated with a high degree of confidence with the Turla group (UAC-0003, KRYPTON, Secret Blizzard), whose activities are directed by the FSB of Russia.

CERT-UA's Proactive Measures: Collaborative Defense

In an effort to create favorable conditions for threat detection, CERT-UA has distributed samples of the malicious programs among cybersecurity companies. This collaborative approach enhances the collective defense against these cyber threats.

Acknowledging Allies: A Shoutout to Microsoft Threat Intelligence

CERT-UA extends its gratitude to the Microsoft Threat Intelligence team for their continuous assistance in combating cyber threats on a national scale. Their collaboration is a testament to the power of collective efforts in the fight against cybercrime.

Conclusion: The Collective Fight Against Cyber Threats

The battle against cyber threats is a collective one. It requires the concerted efforts of individuals, organizations, and nations. As we continue to navigate the digital landscape, teams like CERT-UA play a crucial role in safeguarding our cyber space. Their work serves as a reminder of the importance of vigilance, collaboration, and proactive defense in the face of evolving cyber threats.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.